Channel: Software Communities : Popular Discussions - ActiveRoles

How to auto update attribute of any newly created users in an OU?


We have a custom external system which creates user accounts in an OU.  We would like ARS to "watch" this OU and update a specific attribute of every newly created user.  We have this working on a timed schedule but would like to make this more instant.

 

Thank You 


onPreUnDeprovision script error

I can't yet seem to figure out why the following line of code which is the first line of code within an onPreUnDeprovision function is generating an error within ARS 6.5 when we try to undeprovision a user:

$DirObj.GetInfoEx("edsvaPrimaryGroup",0)

This same line of code runs perfectly fine in the same script in ARS 6.7.  The error that is being generated on the ARS 6.5 installation is:

"Error: Administrative Policy returned an error. Deprovisioning policy failure. The 'Script Execution' policy encountered an error when deprovisioning a user. Failed to execute the script 'User Deprovisioning'. Unknown error (0x80005000)"

If we comment out or remove the onPreUnDeprovision section, the script runs fine.  If we add an empty onPreUnDeprovision function the script runs fine.  However if we have this one line of code in the onPreUnDeprovision function, we get the above error.

Can't figure out why the error is being generated only on version 6.5.  Thanks for your assistance.

How to create a Bulk Dynamic Groups in ARS?


I have ARS 6.7 with Exchange 2007; I have a requirement to create groups in bulk in Active Directory, about 500 groups.

The requirement is to create (Mail enabled Dynamic Security Group); I have an LDAP query for each group. I can create them using the GUI, but it will take very long to create each group separately.

Can someone help / guide me on how to create them using the command line / a script within ARS?

 

Any help would be appreciated.

 

Thanks.

Having trouble with Search in Workflow (6.8)


I'm trying to use the Search functionality in a scheduled workflow to generate a list of all Users that aren't members of one of a collection of groups.

 

I've created the workflow, added a Search widget, set the filters, set the notification, then added an Add Report Section widget and set its value.  (Pretty much all based on the blog post.)  However, when I run the workflow the Notification email isn't sent and the Run History doesn't show the new Report Section.  Am I missing any steps?

Create Shared Mailbox


When I use the above in the ARS web interface, it tells me there is a policy violation with 'Department' must be filled in. But there is no department tab anywhere on the form. I'm assuming it's somehow taken it from my New User Creation policy which has a drop down for dept? How do I stop it using the new user provisioning policy for new mailboxes, whether linked / shared etc...?

Thanks

ARS 6.7 and dynamic group population


We have a primary site from which 3 ARS related servers provide user front end services (ARS Admin server, SQL host for the ARS admin and management history DB, IIS for ARS).   This is SITE1.   We have a secondary site we use for DR/BR in case SITE 1 is down.

This is SITE2.   We also use SITE2 for all the scheduled tasks and quickconnect work.  We also create our dynamic group rules from SITE2.   Recently, we had an issue where the explicitly defined DNS host was taken offline - permanently, where our dynamic group lists all up-and-emptied their contents.   We point to a different DNS structure now - but it raises the question.   Is the dynamic group rule dependent upon the ARS host that initiated the group rule set to up/online and in communication with the original DC that it used to build the membership list?  

Scheduled Task - Powershell Script Error


Hi,

 

I have a powershell script for emailing a user when their AD password is due to expire. It works fine when run from the PowerGUI script editor but when I run it as an ActiveRoles scheduled task it fails.

It immediately fails by throwing "Domain 'MaximumPasswordAge' password policy is not configured."

I removed all the script logic and hard coded the $MaxPassAge to 45 then it fails to run Get-QADUser.

It's almost as if the ActiveRoles powershell modules are missing from the server but they are there and other policy scripts run fine using ActiveRoles modules.

 

Anyone got any ideas?

 

 

$ReqVersion = [version]"1.2.2.1254"
$QadVersion = (Get-PSSnapin Quest.ActiveRoles.ADManagement).Version

if($QadVersion -lt $ReqVersion)
{
    throw "Quest AD cmdlets version '$ReqVersion' is required. Please download the latest version"
}


function Send-Mail
{
   param($SmtpServer,$From,$To,$Subject,$Body)
   $smtp = new-object system.net.mail.smtpClient($SmtpServer)
   $mail = new-object System.Net.Mail.MailMessage
   $mail.from= $From
   $mail.to.add($To)
   $mail.subject= $Subject
   $mail.body= $Body
   $smtp.send($mail)  
}


$MaxPassAge = (Get-QADObject (Get-QADRootDSE).defaultNamingContextDN).MaximumPasswordAge.days

if($MaxPassAge -le 0)
{
   throw "Domain 'MaximumPasswordAge' password policy is not configured."
}

$DaysToExpire = 60 
$MailFrom = "helpdesk@domain.co.uk"
$PSEmailServer = "cas01"

Get-QADUser -identity "Bob.Tester" -Enabled -PasswordNeverExpires:$false -SizeLimit 0 -Email * |`
Select-Object Name,Email,@{Name="Expires";Expression={ $MaxPassAge - $_.PasswordAge.days }} |`
Where-Object {$_.Expires -gt 0 -AND $_.Expires -le $DaysToExpire } | Foreach-Object {
 
$Subject="Password reminder: Your password will expire in $($_.Expires) days"
 
if($PSVersionTable)
  {
     # PowerShell Version 2 detected  
     Send-MailMessage -From $MailFrom -To $_.Email -Subject  $Subject -Body  $Subject 
  }
else
  {
     # code for PowerShell v1
     Send-Mail -SmtpServer $PSEmailServer -From $MailFrom -To  $_.Email -Subject  $Subject -Body  $Subject
  }

}

Adding Deprovision Step to Delete Re-directed MyDocuments


Hi,

 

Can anyone offer some guidance on a good approach for deleting a user's redirected MyDocuments folder during the deprovisioning process?  I want to add that step to delete the folder recursively when the account is permanently deleted (say 30 days after deprovision).  I've read and seen some scripts but not sure how to put it all together, or if that's even the right way to go.  Some of the code snippets I've found and played with so far include:

 

$MyDocs=$([Environment]::GetFolderPath("mydocuments"))

 

Get-ChildItem $MyDocs -recurse | ForEach-Object {Get-Acl $_.FullName}

 

<then take ownership, presumably by the ARS service account>

 

My current ARS 6.7 deprovision policy looks like the attached screenshot.

 

Any advice is appreciated.

 

Thanks.

 

-Steve


Error in Script - Please Help


I have a list of users in a text file that have been disabled.  The script below is supposed to re-enable the accounts and move them back to their original OU.  However upon running it I'm getting an error message:

Script:

Connect-QADService -Proxy
$users = Get-Content C:\users.txt
# Recent move operations initiated by the current user
$moveops = Get-QARSOperation -OperationType Move -InitiatedByMe -CompletedRecently 3
$moveops | foreach {
    $dn = $_.targetobjectinfo.dn
    # Value of the first RDN (the CN) of the moved object
    $usercn = $dn.replace("CN=","").split(",")[0]
    if($users -contains $usercn)
    {
        # Drop the first RDN to get the parent container DN
        $userdn = $dn.split(",")
        $userdn = [string]::Join(",",$userdn[((($userdn.count)*(-1))+1)..-1])
        Move-QADObject -Identity $usercn -NewParentContainer $userdn
    }
}
Disconnect-QADService

 

 

Error Message:

 

image_png.png

 

Please help!!


How to remove X400 addresses

People often ask how to remove unwilling values from proxy addresses.

Here is a script sample that demonstrates X400 addresses deletion in user object's proxy addresses
http://activeroles.inside.quest.com/entry.jspa?categoryID=100&externalID=1292

Deprovision Script - Perform mailbox change - fails


I am trying to call the Exchange cmdlets in a script that will remove any mailbox rules a user has setup when their account is deprovisioned.

 

I have the script below and I don't get any errors but the script isn't working, can anyone point me in the right direction?

 

function onPostDeprovision($Request)
{
    . 'D:\Program Files\Microsoft\Exchange Server\V14\Bin\RemoteExchange.ps1' Connect-ExchangeServer Auto

    if ($Request.Class -ne "user") { return }

    Get-InboxRule -Mailbox "$Request" | Remove-InboxRule
}

How to force authentication on the acceptance or rejection of the request


Dear All!

I wonder if it is possible to force a user to authenticate (using domain username and password or smart card) on the workflow? For example, when an approver clicks Approve or Reject he or she has to authenticate (type user name and correct password or enter the PIN).

Best

Mariusz

Quest ARS script problem called a powershell script located on a DFS share


Dear Quest ARS experts,

 

Let me explain my problem,

 

In a Quest ARS script, when I call a local powershell script, it works fine.

Here is the piece of code, when it works fine:

#Command lines to create computer and its job in Altiris
$NotifScript = "D:\Quest Software\Scripts\LN-Notification.ps1"
if (($LogActivate -eq $true) -or ($FullLogActivate -eq $true))
{
    $EventLog.ReportEvent(2,"CreateNotification: NotifScript/" + $NotifScript + "/")
}
Start-Job -FilePath $NotifScript -name "sendNotification" -RunAs32 -ArgumentList $NotifStatus,$SendTo,$CcTo,$MsgBodyFields

But if I change the ARS script to call a script located on a DFS folder (UNC path), I get an error message like this:

Post-processing operation on object caused a policy violation.
Policy: Runs the script 'Users Mgmt - NC - Step5'
Object: CN=Bugs BUNNY,OU=5-Material Allocation,OU=NewComer,OU=ARS Users Mgmt,OU=Office,OU=Users,OU=MUC,DC=iislab,DC=amadeus,DC=net
Details: The 'Script Execution' policy encountered an error when running the script 'Users Mgmt - NC - Step5'.
At line: -528 char:14. AuthorizationManager check failed.

Here is the code, when the $NotifScript is replaced by the same script copied on a network share (on a DFS folder):

#Command lines to create computer and its job in Altiris
$NotifScript = "\\" + $DOMAIN + "\IAMroot\IAM-Scripts\LN-Notification.ps1" ########
if (($LogActivate -eq $true) -or ($FullLogActivate -eq $true))
{
    $EventLog.ReportEvent(2,"CreateNotification: NotifScript/" + $NotifScript + "/")
}
Start-Job -FilePath $NotifScript -name "sendNotification" -RunAs32 -ArgumentList $NotifStatus,$SendTo,$CcTo,$MsgBodyFields

Note: If I copy this portion of code into PowerGUI (also installed on the Quest ARS server), it works fine. So the UNC is understandable by a powershell command line. There is something strange in the Quest ARS scripting editor context.

Is there a limitation with Quest ARS script to use UNC share or is it something to change on powershell ?

best regards

jacques

Send email in script module using default EDS-Mail-Configuration settings


Hi

 

Following a recent update to 6.7 I am looking to revisit some of our processes and original VB scripts. Currently we have a lot of scripts that call a 'library' script to send an email. I want to improve on this and also ensure the scripts have a better lifecycle by using the built-in 'EDS-Mail-Configuration' elements to provide the transport method.

Is it possible to use this in script modules? My initial target is a part of our administrative user deprovision process where an account marked for deprovision has an email sent to its owner saying it's inactive and has been deprovisioned.

I know it's possible to use the send-mailmessage command, but hardcoding the smtp server details does not seem to be the most practical / extensible.

 

Thanks,

 

Paul


Get-QADComputer and serialNumber


I am having a problem with obtaining the serialNumber attribute for computer objects in Active Directory using the Get-QADComputer cmdlet.

Using the following code, I get nothing back

 

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

 

However if I connect to the ARS service...

 

connect-QADService -proxy

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

 

It works and returns the contents of the serialNumber attribute.

 

Why won't the get-QADComputer cmdlet return the native attribute of serialNumber when connected to a domain controller?


SelfService Groups


In older versions of ActiveRoles there was a function in Selfservice called "Mygroups" where users could add/remove members to groups that they were Managers of.

In ARS 6.8 this isn't available.

Does anyone know if it's possible to add a similar function via managed units / and web-interface extension?

Other suggestions?

How to query AD for a list of users who are Active ONLY


Hi, I would like to query AD using powershell to get a list of all our users that are active, etc. However when I run the query, I receive all users that are both disabled and active. What is the query to show me only ACTIVE?

This is what I have so far...

 

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADUser -objectAttributes @{employeeID='*'} | select-Object firstname, lastname, employeeID, email, sAMAccountName, AccountisDisabled="false" | Export-Csv "C:\SUS-HR-DATA\Email_Address_Export\Email_Address_Export.csv" -NoTypeInformation

 

I have tried to substitute "AccountisDisabled" with multiple suggestions from online (edsaAccountIsDisabled, etc), but no luck.

 

Thanks,

Artie
